CPUG

The Check Point User Group

#21 - 2008-07-03 - Danielpb (Senior Member)
Re: Invalid message id (NGX R60)

This might help with the super netting issues:

NOTE: BACK UP ALL FILES BEFORE MAKING ANY CHANGES.

If you're using communities, then try changing the setting to per host instead of subnet. Sometimes this resolves the issue without performing the steps below.


-------------

The problem is that Check Point is using super netmasking, and the Cisco can't correctly read these encryption domains.
To resolve this issue, follow my instructions:

1. Change the environment to the specific CMA
2. Back up the file objects_5_0.C that is found in the dir of the current CMA conf
3. Stop the current CMA
4. Edit objects_5_0.C
   Change the value of :ike_use_largest_possible_subnets (true)
   to
   :ike_use_largest_possible_subnets (false)
5. Start the current CMA
6. Push the policy

Best Regards,
================================================== ================================================== ===============

To resolve this supernetting issue, configure the max_subnet_for_range table in $FWDIR/lib/user.def on the Management Server (SmartCenter).

Modifying the user.def file to manually define networks to encrypt traffic to/from:
Back up the $FWDIR\lib\user.def file.

Edit $FWDIR\lib\user.def file:

Sample 1

--------------------------------------------------------------------------------

#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};

#endif

--------------------------------------------------------------------------------
In Example 1, the configuration would work in the following way:
- For the host IP 194.29.23.1 the network IP would be 194.29.23.0/24
- For the host IP 194.29.46.45 the network IP would be 194.29.46.45 (just one IP)
- For the host IP 194.29.102.1 the network IP would be 194.29.0.0/16
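
The lookup described in Example 1, as an added Python example that is not part of the original post and is not Check Point code. It parses the Sample 1 table and reproduces the three results listed above; the function names `parse_table` and `negotiated_subnet` are hypothetical, and the no-overlap check is an assumption of this example.

```python
import ipaddress
import re

# Table text copied from Sample 1 in the post.
USER_DEF = """
max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};
"""

# One table row: <first_ip, last_ip; netmask>
ENTRY = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")


def parse_table(text):
    """Parse rows into sorted (first_ip, last_ip, prefix_len) tuples."""
    rows = []
    for first, last, mask in ENTRY.findall(text):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"range start {first} is after range end {last}")
        # Convert the dotted mask to a prefix length; a malformed mask raises ValueError.
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
        rows.append((lo, hi, prefix))
    rows.sort()
    # Assumption of this example: ranges must not overlap, so a lookup is unambiguous.
    for (_, prev_hi, _), (lo, _, _) in zip(rows, rows[1:]):
        if lo <= prev_hi:
            raise ValueError(f"range starting at {lo} overlaps the range ending at {prev_hi}")
    return rows


def negotiated_subnet(host, rows):
    """Network the post says is used for `host`, or None if no range covers it."""
    ip = ipaddress.IPv4Address(host)
    for lo, hi, prefix in rows:
        if lo <= ip <= hi:
            # strict=False clears the host bits, e.g. 194.29.23.1/24 -> 194.29.23.0/24
            return ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    return None


if __name__ == "__main__":
    table = parse_table(USER_DEF)
    for host in ("194.29.23.1", "194.29.46.45", "194.29.102.1"):
        print(host, "->", negotiated_subnet(host, table))
```

Running a planned table through this before editing user.def shows which subnet each host in the encryption domain would map to, so the result can be compared with what the peer has configured.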